Flow Collection (sFlow / NetFlow / IPFIX)
Ingest sFlow v5, NetFlow v5/v9, and IPFIX directly from your routers and switches for upstream DDoS visibility
Overview
The ftagent natively ingests flow telemetry from your network infrastructure. Point your router's flow export at the agent and it processes flow records in real-time, giving you upstream visibility before attack traffic reaches the server. This is especially valuable for environments where packet capture is not feasible: cloud VPCs, managed infrastructure, and high-throughput 100G+ links.
Supported Protocols
| Protocol | Standard | Default Port | Format |
|---|---|---|---|
| sFlow v5 | sFlow.org version 5 specification (RFC 3176 describes sFlow v4) | 6343 | Sampled packet headers with interface counters |
| NetFlow v5 | Cisco proprietary | 2055 | Fixed-format 48-byte flow records |
| NetFlow v9 | RFC 3954 | 2055 | Template-based with automatic template caching |
| IPFIX | RFC 7011 (header version 10, the successor to NetFlow v9) | 4739 | Template-based with enterprise information elements |
The agent auto-detects the protocol version from incoming datagrams. You can also force a specific protocol in the per-node configuration.
How It Works
- UDP Listener: The ftagent starts a UDP listener on the configured port (per-protocol defaults above)
- Protocol Parsing: Binary parsers decode incoming datagrams. sFlow v5 sampled packet headers, NetFlow v5 fixed-format records, and NetFlow v9/IPFIX template-based records with automatic template caching
- Normalization: Flow records are normalized and aggregated into 1-second PPS/BPS windows, accounting for sample rate
- Merge: The detection loop compares flow-derived metrics with local /proc/net/dev readings and uses the higher value for threshold comparison
- Enrichment: During attacks, flow-sourced top source IPs and destination ports are included in the initial incident report for immediate visibility
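The pipeline above (listen, detect the protocol from the version field, parse, scale by sample rate into 1-second PPS/BPS windows, merge with /proc/net/dev by taking the higher value, keep top sources and destination ports for the incident report), worked through for NetFlow v5 in Python. This is an added, stand-alone example, not ftagent code: the class and function names, the exporter filter (the "Allowed Source IPs" setting described under Configuration below), the RFC 5737 addresses and the constructed datagram are all assumptions for illustration. Real datagrams arrive from the router; the builder exists only so the example runs offline.

```python
"""Added example: a minimal NetFlow v5 collector following the pipeline above.
Illustrative only; all names and sample data are constructed, not ftagent code."""
import socket
import struct
from collections import Counter, defaultdict

NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte fixed record
NF5_MAX_RECORDS = 30                                    # v5 caps a datagram at 30 records


def detect_protocol(datagram):
    """Auto-detect from the version field at offset 0: NetFlow v5/v9 and IPFIX use a
    16-bit version (5, 9, 10); sFlow v5 uses a 32-bit XDR version of 5, so its first
    two bytes are zero."""
    if len(datagram) < 4:
        return None
    (v16,) = struct.unpack_from("!H", datagram, 0)
    (v32,) = struct.unpack_from("!I", datagram, 0)
    if v16 == 0 and v32 == 5:
        return "sflow"
    return {5: "netflow5", 9: "netflow9", 10: "ipfix"}.get(v16)


def parse_netflow_v5(datagram):
    """Decode one v5 datagram into (export_unix_secs, sampling_interval, records).
    Count and length are validated before unpacking so truncated or padded
    datagrams are rejected instead of misparsed."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("truncated NetFlow v5 header")
    version, count, _up, unix_secs, _ns, _seq, _et, _eid, sampling = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count == 0 or count > NF5_MAX_RECORDS or len(datagram) != NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    interval = sampling & 0x3FFF  # low 14 bits; the top 2 bits are the sampling mode
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "pkts": f[5], "bytes": f[6], "dport": f[10], "proto": f[13]})
    return unix_secs, interval, records


class FlowCollector:
    """Normalise records into 1-second PPS/BPS windows, scaled by the sample rate."""

    def __init__(self, allowed_sources, sample_rate):
        self.allowed = set(allowed_sources)  # exporter IPs we trust (hypothetical setting)
        self.sample_rate = sample_rate       # configured rate, used if the header carries none
        self.windows = defaultdict(lambda: {"pps": 0, "bps": 0})
        self.top_src, self.top_dport = Counter(), Counter()  # enrichment for incident reports
        self.dropped = 0

    def ingest(self, exporter_ip, datagram):
        # Flow export is plain UDP with no authentication: the source filter is the
        # only thing between a spoofer and our metrics.
        if self.allowed and exporter_ip not in self.allowed:
            self.dropped += 1
            return False
        if detect_protocol(datagram) != "netflow5":
            raise ValueError("only NetFlow v5 is implemented in this example")
        ts, header_interval, records = parse_netflow_v5(datagram)
        rate = header_interval or self.sample_rate
        win = self.windows[ts]  # binned by export second for brevity; a real collector spreads over First..Last
        for r in records:
            pkts = r["pkts"] * rate
            win["pps"] += pkts
            win["bps"] += r["bytes"] * 8 * rate
            self.top_src[r["src"]] += pkts
            self.top_dport[r["dport"]] += pkts
        return True


def effective_pps(flow_pps, proc_net_dev_pps):
    """Merge step: the higher reading wins, so a forged flow feed can only inflate
    the figure (a false positive), never hide traffic the host itself sees."""
    return max(flow_pps, proc_net_dev_pps)


def build_netflow_v5(unix_secs, sampling_interval, flows):
    """Construct a v5 datagram for offline testing (in production the router sends these)."""
    header = NF5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, (1 << 14) | sampling_interval)
    body = b"".join(
        NF5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, 1, 2,
                        pkts, octets, 0, 0, sport, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, pkts, octets, sport, dport, proto in flows)
    return header + body


if __name__ == "__main__":
    # Constructed sample: ten sampled SYN flows toward 203.0.113.10:443 from a 1:1000 exporter.
    flows = [(f"198.51.100.{i}", "203.0.113.10", 5, 200, 40000 + i, 443, 6) for i in range(10)]
    dgram = build_netflow_v5(1700000000, 1000, flows)
    c = FlowCollector(allowed_sources={"192.0.2.1"}, sample_rate=1000)
    c.ingest("192.0.2.1", dgram)        # trusted exporter: accepted
    c.ingest("198.51.100.200", dgram)   # untrusted source: dropped
    w = c.windows[1700000000]
    print(f"flow pps={w['pps']} bps={w['bps']} dropped={c.dropped}")
    print("effective pps vs /proc/net/dev:", effective_pps(w["pps"], 12000))
    print("top dports:", c.top_dport.most_common(3))
```

Two details carry over to any real deployment: the length check in the parser is what keeps a short or padded datagram from being read past its end, and the exporter filter runs before any parsing so an untrusted host cannot even exercise the decoder.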
Configuration
Flow collection is configured per-node from Dashboard → Nodes → [Node] → Flow Collection tab.
| Setting | Description | Default |
|---|---|---|
| Protocol | Which flow protocol to listen for (sflow, netflow5, netflow9, ipfix, auto) | auto |
| Listen Port | UDP port for incoming flow data | 6343 (sFlow), 2055 (NetFlow), 4739 (IPFIX) |
| Sample Rate | The sampling rate configured on your router, used to scale sampled counts back to PPS/BPS. It must match the router's value: a mismatch skews every estimate by the ratio between the two settings | 1:1000 |
| Allowed Source IPs | Restrict flow ingestion to specific router IPs (comma-separated) | Any |

Flow export protocols run over plain UDP with no authentication, so anyone who can reach the listen port can inject records. Set Allowed Source IPs to your exporters' addresses and firewall the port to those hosts. Because the detection loop uses the higher of the flow-derived and /proc/net/dev readings, forged records can inflate the metrics and trigger false positives, but they cannot hide traffic the host itself observes.
Router Configuration Snippets
Copy-paste these into your router to start sending flow data to the ftagent, replacing <AGENT_IP> with the address of the node running the agent. Only the Juniper snippet configures sampling; the Cisco and MikroTik snippets export unsampled flows as written, so for those nodes either add a sampler on the router or set the node's Sample Rate to 1:1, otherwise the agent multiplies every count by the configured ratio.
Juniper (sFlow)
```
set protocols sflow collector <AGENT_IP> udp-port 6343
set protocols sflow interfaces ge-0/0/0
set protocols sflow polling-interval 10
set protocols sflow sample-rate ingress 1000
```
Cisco IOS-XE (NetFlow v9)
```
flow exporter FLOWTRIQ
 destination <AGENT_IP>
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
flow monitor FLOWTRIQ-MON
 exporter FLOWTRIQ
 record netflow ipv4 original-input
!
interface GigabitEthernet0/0
 ip flow monitor FLOWTRIQ-MON input
```
MikroTik (NetFlow v9 / IPFIX)
```
/ip traffic-flow
set enabled=yes interfaces=ether1
/ip traffic-flow target
add dst-address=<AGENT_IP> port=2055 version=9
```

For IPFIX instead of NetFlow v9, use version=ipfix and point port= at the agent's IPFIX listen port (4739 by default).
Recommended Sample Rates
| Link Speed | Recommended Sample Rate |
|---|---|
| 1 Gbps | 1:500 |
| 10 Gbps | 1:1000 |
| 40 Gbps | 1:2000 |
| 100 Gbps | 1:4096 |
A lower sampling ratio (for example 1:500 rather than 1:4096) samples more packets and gives more granular visibility, but raises CPU load on the router. For DDoS detection, 1:1000 is sufficient for most deployments. Whichever ratio you choose, enter the same value in the node's Sample Rate setting so the agent scales counts correctly.
Flow Mirroring
In addition to ingestion for detection, Flowtriq can mirror received flow data to additional destinations via UDP. This lets you feed the same telemetry to your existing NMS, SIEM, or capacity planning tools alongside Flowtriq. Configure mirror destinations from Dashboard → Nodes → [Node] → Flow Collection → Mirror.